The reference SecurityConfiguration manages all the settings used by the ESAPI in a single place. In this reference
implementation, resources can be put in several locations, which are searched in the following order:

1) Inside a directory set with a call to SecurityConfiguration.setResourceDirectory( "C:\temp\resources" ).

2) Inside the System.getProperty( "org.owasp.esapi.resources" ) directory.
You can set this on the java command line as follows (for example):

java -Dorg.owasp.esapi.resources="C:\temp\resources"

You may have to add this to the start-up script that starts your web server. For example, for Tomcat,
in the "catalina" script that starts Tomcat, you can set the JAVA_OPTS variable to the -D string above.

MAX_FILE_NAME_LENGTHDeprecated.It is not clear whether this is intended to be the max file name length for the basename(1) of
a file or the max full path name length of a canonical full path name. Since it is not used anywhere
in the ESAPI code it is being deprecated and scheduled to be removed in release 2.1.

getAdditionalAllowedCipherModes()
Return List of strings of additional cipher modes that are
permitted (i.e., in addition to those returned by
#getPreferredCipherModes()) to be used for encryption and
decryption operations.

VALIDATION_PROPERTIES

ACCEPT_LENIENT_DATES

DEFAULT_MAX_LOG_FILE_SIZE

public static final int DEFAULT_MAX_LOG_FILE_SIZE

The default max log file size is set to 10,000,000 bytes (10 Meg). If the current log file exceeds the current
max log file size, the logger will move the old log data into another log file. There currently is a max of
1000 log files of the same name. If that is exceeded it will presumably start discarding the oldest logs.

MAX_REDIRECT_LOCATION

MAX_FILE_NAME_LENGTH

protected final int MAX_FILE_NAME_LENGTH

Deprecated.It is not clear whether this is intended to be the max file name length for the basename(1) of
a file or the max full path name length of a canonical full path name. Since it is not used anywhere
in the ESAPI code it is being deprecated and scheduled to be removed in release 2.1.

getEncryptionAlgorithm

public java.lang.String getEncryptionAlgorithm()

Gets the encryption algorithm used by ESAPI to protect data. This is
mostly used for compatibility with ESAPI 1.4; ESAPI 2.0 prefers to
use "cipher transformation" since it supports multiple cipher modes
and padding schemes.

getCipherTransformation

public java.lang.String getCipherTransformation()

Retrieve the cipher transformation. In general, the cipher transformation
is a specification of cipher algorithm, cipher mode, and padding scheme
and in general, is a String that takes the following form:

cipher_alg/cipher_mode[bits]/padding_scheme

where cipher_alg is the JCE cipher algorithm (e.g., "DESede"),
cipher_mode is the cipher mode (e.g., "CBC", "CFB", "CTR", etc.),
and padding_scheme is the cipher padding scheme (e.g., "NONE" for
no padding, "PKCS5Padding" for PKCS#5 padding, etc.) and where
[bits] is an optional bit size that applies to certain cipher
modes such as CFB and OFB. Using modes such as CFB and
OFB, block ciphers can encrypt data in units smaller than the cipher's
actual block size. When requesting such a mode, you may optionally
specify the number of bits to be processed at a time. This generally must
be an integral multiple of 8-bits so that it can specify a whole number
of octets.

NOTE: Occasionally, in cryptographic literature, you may also
see the key size (in bits) specified after the cipher algorithm in the
cipher transformation. Generally, this is done to account for cipher
algorithms that have variable key sizes. The Blowfish cipher for example
supports key sizes from 32 to 448 bits. So for Blowfish, you might see
a cipher transformation something like this:

"Blowfish-192/CFB8/PKCS5Padding"

in the cryptographic literature. It should be noted that the Java
Cryptography Extensions (JCE) do not generally support this (at least
not the reference JCE implementation of "SunJCE"), and therefore it
should be avoided.

setCipherTransformation

Set the cipher transformation. This allows a different cipher transformation
to be used without changing the ESAPI.properties file. For instance
you may normally want to use AES/CBC/PKCS5Padding, but have some legacy
encryption where you have ciphertext that was encrypted using 3DES.

cipherXform - The new cipher transformation. See
SecurityConfiguration.getCipherTransformation() for format. If
null is passed as the parameter, the cipher
transformation will be set to the the default taken
from the property Encryptor.CipherTransformation
in the ESAPI.properties file. BEWARE:
there is NO sanity checking here (other than
the empty string, and then, only if Java assertions are
enabled), so if you set this wrong, you will not get
any errors until you later try to use it to encrypt
or decrypt data.

Returns:

The previous cipher transformation is returned for convenience,
with the assumption that you may wish to restore it once you have
completed the encryption / decryption with the new cipher
transformation.

useMACforCipherText

public boolean useMACforCipherText()

Determines whether the CipherText should be used with a Message
Authentication Code (MAC). Generally this makes for a more robust cryptographic
scheme, but there are some minor performance implications. Controlled by
the ESAPI property Encryptor.CipherText.useMAC.

overwritePlainText

public boolean overwritePlainText()

Indicates whether the PlainText objects may be overwritten after
they have been encrypted. Generally this is a good idea, especially if
your VM is shared by multiple applications (e.g., multiple applications
running in the same J2EE container) or if there is a possibility that
your VM may leave a core dump (say because it is running non-native
Java code.

Controlled by the property Encryptor.PlainText.overwrite in
the ESAPI.properties file.

True if it is OK to overwrite the PlainText objects
after encrypting, false otherwise.

getIVType

public java.lang.String getIVType()

Get a string indicating how to compute an Initialization Vector (IV).
Currently supported modes are "random" to generate a random IV or
"fixed" to use a fixed (static) IV. If a "fixed" IV is chosen, then the
the value of this fixed IV must be specified as the property
Encryptor.fixedIV and be of the appropriate length.

getCharacterEncoding

public java.lang.String getCharacterEncoding()

Gets the character encoding scheme supported by this application. This is used to set the
character encoding scheme on requests and responses when setCharacterEncoding() is called
on SafeRequests and SafeResponses. This scheme is also used for encoding/decoding URLs
and any other place where the current encoding scheme needs to be known.

Note: This does not get the configured response content type. That is accessed by calling
getResponseContentType().

the number of failed login attempts that cause an account to be locked

getMaxOldPasswordHashes

public int getMaxOldPasswordHashes()

Gets the maximum number of old password hashes that should be retained. These hashes can
be used to ensure that the user doesn't reuse the specified number of previous passwords
when they change their password.

getMaxLogFileSize

public int getMaxLogFileSize()

Get the maximum size of a single log file from the ESAPI configuration properties file. Return a default value
if it is not specified. Once the log hits this file size, it will roll over into a new log.

getSessionIdleTimeoutLength

public int getSessionIdleTimeoutLength()

Gets the idle timeout length for sessions (in milliseconds). This is the amount of time that a session
can live before it expires due to lack of activity. Applications or frameworks could provide a reauthenticate
function that enables a session to continue after reauthentication.

getSessionAbsoluteTimeoutLength

public int getSessionAbsoluteTimeoutLength()

Gets the absolute timeout length for sessions (in milliseconds). This is the amount of time that a session
can live before it expires regardless of the amount of user activity. Applications or frameworks could
provide a reauthenticate function that enables a session to continue after reauthentication.

getPreferredJCEProvider

public java.lang.String getPreferredJCEProvider()

Retrieve the preferred JCE provider for ESAPI and your application.
ESAPI 2.0 now allows setting the property
Encryptor.PreferredJCEProvider in the
ESAPI.properties file, which will cause the specified JCE
provider to be automatically and dynamically loaded (assuming that
SecurityManager permissions allow) as the Ii>preferred
JCE provider. (Note this only happens if the JCE provider is not already
loaded.) This method returns the property Encryptor.PreferredJCEProvider.
By default, this Encryptor.PreferredJCEProvider property is set
to an empty string, which means that the preferred JCE provider is not
changed.

getCombinedCipherModes

public java.util.List<java.lang.String> getCombinedCipherModes()

Return a List of strings of combined cipher modes that support
both confidentiality and authenticity. These would be preferred
cipher modes to use if your JCE provider supports them. If such a
cipher mode is used, no explicit separate MAC is calculated as part of
the CipherText object upon encryption nor is any attempt made
to verify the same on decryption.

The list is taken from the comma-separated list of cipher modes specified
by the ESAPI property
Encryptor.cipher_modes.combined_modes.